[PATCH] BNX2I: Fixed NULL ptr dereference for 1G bnx2 Linux iSCSI offload
This patch fixes the following kernel panic invoked by uninitialized fields in the chip initialization for the 1G bnx2 iSCSI offload. One of the bits in the chip initialization is being used by the latest firmware to control overflow packets. When this control bit gets enabled erroneously, it would ultimately result in a bad packet placement which would cause the bnx2 driver to dereference a NULL ptr in the placement handler. This can happen under certain stress I/O environment under the Linux iSCSI offload operation. This change only affects Broadcom's 5709 chipset.

Unable to handle kernel NULL pointer dereference at 0008
RIP: [881f0e7d] :bnx2:bnx2_poll_work+0xd0d/0x13c5
Pid: 0, comm: swapper Tainted: G 2.6.18-333.el5debug #2
RIP: 0010:[881f0e7d] [881f0e7d] :bnx2:bnx2_poll_work+0xd0d/0x13c5
RSP: 0018:8101b575bd50 EFLAGS: 00010216
RAX: 0005 RBX: 81007c5fb180 RCX:
RDX: 0ffc RSI: 817e8000 RDI: 0220
RBP: 81015bbd7ec0 R08: 8100817e9000 R09:
R10: 81007c5fb180 R11: 00c8 R12: 7a25a010
R13: R14: 0005 R15: 810159f80558
FS: () GS:8101afebc240() knlGS:
CS: 0010 DS: 0018 ES: 0018 CR0: 8005003b
CR2: 0008 CR3: 00201000 CR4: 06a0
Process swapper (pid: 0, threadinfo 8101b5754000, task 8101afebd820)
Stack: 000b 810159f8 0040 810159f80520 810159f80500 00cf00cf8008e84b
c200100939e0 810009035b20 5029 00be0001 8100817e7810 00d08101b575bea8
Call Trace:
IRQ [8008e0d0] show_schedstat+0x1c2/0x25b
[881f1886] :bnx2:bnx2_poll+0xf6/0x231
[8000c9b9] net_rx_action+0xac/0x1b1
[800125a0] __do_softirq+0x89/0x133
[8005e30c] call_softirq+0x1c/0x28
[8006d5de] do_softirq+0x2c/0x7d
[8006d46e] do_IRQ+0xee/0xf7
[8005d625] ret_from_intr+0x0/0xa
EOI [801a5780] acpi_processor_idle_simple+0x1c5/0x341
[801a573d] acpi_processor_idle_simple+0x182/0x341
[801a55bb] acpi_processor_idle_simple+0x0/0x341
[80049560] cpu_idle+0x95/0xb8
[80078b1c] start_secondary+0x479/0x488
Signed-off-by: Eddie Wai eddie@broadcom.com Cc: sta...@kernel.org --- drivers/scsi/bnx2i/bnx2i_hwi.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c index 86a12b4..3878e62 100644 --- a/drivers/scsi/bnx2i/bnx2i_hwi.c +++ b/drivers/scsi/bnx2i/bnx2i_hwi.c @@ -1264,6 +1264,9 @@ int bnx2i_send_fw_iscsi_init_msg(struct bnx2i_hba *hba) int rc = 0; u64 mask64; + memset(iscsi_init, 0x00, sizeof(struct iscsi_kwqe_init1)); + memset(iscsi_init2, 0x00, sizeof(struct iscsi_kwqe_init2)); + bnx2i_adjust_qp_size(hba); iscsi_init.flags = -- 1.7.7.4 -- You received this message because you are subscribed to the Google Groups open-iscsi group. To post to this group, send email to open-iscsi@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
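Review bot: the two added memset calls pass `iscsi_init` and `iscsi_init2` directly as the destination, but the trailing context line `iscsi_init.flags =` shows `iscsi_init` is a struct rather than a pointer, so as rendered the calls would not compile (memset takes a `void *`). They should read `memset(&iscsi_init, 0x00, sizeof(iscsi_init));` and `memset(&iscsi_init2, 0x00, sizeof(iscsi_init2));`, unless the `&` was lost when the mail was rendered; using `sizeof(iscsi_init)` instead of `sizeof(struct iscsi_kwqe_init1)` also keeps the cleared length tied to the variable if its type is ever changed. Zeroing both KWQE structures before the field-by-field setup that follows is the right shape of fix for the problem the message describes: any flag bit the driver does not set explicitly, including the overflow-control bit the newer firmware interprets, is then guaranteed clear instead of inheriting whatever the uninitialized memory held. A one-line comment above the memsets saying why the full clear is required (firmware now reads bits the driver never wrote) would stop someone removing it later as redundant.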
Re: [PATCH] BNX2I: Fixed NULL ptr dereference for 1G bnx2 Linux iSCSI offload
On 08/21/2012 12:35 PM, Eddie Wai wrote:

This patch fixes the following kernel panic invoked by uninitialized fields in the chip initialization for the 1G bnx2 iSCSI offload. One of the bits in the chip initialization is being used by the latest firmware to control overflow packets. When this control bit gets enabled erroneously, it would ultimately result in a bad packet placement which would cause the bnx2 driver to dereference a NULL ptr in the placement handler. This can happen under certain stress I/O environment under the Linux iSCSI offload operation. This change only affects Broadcom's 5709 chipset.

Unable to handle kernel NULL pointer dereference at 0008
RIP: [881f0e7d] :bnx2:bnx2_poll_work+0xd0d/0x13c5
Pid: 0, comm: swapper Tainted: G 2.6.18-333.el5debug #2
RIP: 0010:[881f0e7d] [881f0e7d] :bnx2:bnx2_poll_work+0xd0d/0x13c5
RSP: 0018:8101b575bd50 EFLAGS: 00010216
RAX: 0005 RBX: 81007c5fb180 RCX:
RDX: 0ffc RSI: 817e8000 RDI: 0220
RBP: 81015bbd7ec0 R08: 8100817e9000 R09:
R10: 81007c5fb180 R11: 00c8 R12: 7a25a010
R13: R14: 0005 R15: 810159f80558
FS: () GS:8101afebc240() knlGS:
CS: 0010 DS: 0018 ES: 0018 CR0: 8005003b
CR2: 0008 CR3: 00201000 CR4: 06a0
Process swapper (pid: 0, threadinfo 8101b5754000, task 8101afebd820)
Stack: 000b 810159f8 0040 810159f80520 810159f80500 00cf00cf8008e84b
c200100939e0 810009035b20 5029 00be0001 8100817e7810 00d08101b575bea8
Call Trace:
IRQ [8008e0d0] show_schedstat+0x1c2/0x25b
[881f1886] :bnx2:bnx2_poll+0xf6/0x231
[8000c9b9] net_rx_action+0xac/0x1b1
[800125a0] __do_softirq+0x89/0x133
[8005e30c] call_softirq+0x1c/0x28
[8006d5de] do_softirq+0x2c/0x7d
[8006d46e] do_IRQ+0xee/0xf7
[8005d625] ret_from_intr+0x0/0xa
EOI [801a5780] acpi_processor_idle_simple+0x1c5/0x341
[801a573d] acpi_processor_idle_simple+0x182/0x341
[801a55bb] acpi_processor_idle_simple+0x0/0x341
[80049560] cpu_idle+0x95/0xb8
[80078b1c] start_secondary+0x479/0x488
Signed-off-by: Eddie Wai eddie@broadcom.com Cc: sta...@kernel.org --- drivers/scsi/bnx2i/bnx2i_hwi.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c index 86a12b4..3878e62 100644 --- a/drivers/scsi/bnx2i/bnx2i_hwi.c +++ b/drivers/scsi/bnx2i/bnx2i_hwi.c @@ -1264,6 +1264,9 @@ int bnx2i_send_fw_iscsi_init_msg(struct bnx2i_hba *hba) int rc = 0; u64 mask64; + memset(iscsi_init, 0x00, sizeof(struct iscsi_kwqe_init1)); + memset(iscsi_init2, 0x00, sizeof(struct iscsi_kwqe_init2)); + bnx2i_adjust_qp_size(hba); iscsi_init.flags =

Seems ok to me.

Reviewed-by: Mike Christie micha...@cs.wisc.edu